CVE-2015-1832

CWE-399CWE-611XML External Entity (XXE)11 documents8 sources
Severity
9.1CRITICAL
EPSS
0.8%
top 25.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Derby
Timeline
PublishedOct 3
Latest updateMay 13

Description

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

Mavenorg.apache.derby:derby< 10.12.1.1
NVDapache/derby20 versions+19
Debianderby< 10.13.1.1-1+3

🔴Vulnerability Details

4
OSV
Improper Restriction of XML External Entity Reference in Apace Derby2022-05-13
GHSA
Improper Restriction of XML External Entity Reference in Apace Derby2022-05-13
OSV
CVE-2015-1832: XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 102016-10-03
CVEList
CVE-2015-1832: XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 102016-10-03

📋Vendor Advisories

4
Oracle
Oracle Oracle Construction and Engineering Risk Matrix: Platform (Apache Derby) — CVE-2015-18322020-10-15
Oracle
Oracle Oracle Knowledge Risk Matrix: Web Applications - InfoCenter (Apache Derby) — CVE-2015-18322020-04-15
Red Hat
Derby: XXE attack possible by using XmlVTI and the XML datatype2015-07-17
Debian
CVE-2015-1832: derby - XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby b...2015

💬Community

2
Bugzilla
CVE-2015-1832 Apache Derby: XXE attack possible by using XmlVTI and the XML datatype [fedora-all]2016-10-04
Bugzilla
CVE-2015-1832 Apache Derby: XXE attack possible by using XmlVTI and the XML datatype2016-10-04
CVE-2015-1832 (CRITICAL CVSS 9.1) | XML external entity (XXE) vulnerabi | cvebase.io